Comments on: Quickies: PalmConnect USB Drivers, Password Decoding

Beta PalmConnect USB Drivers for Win2K
Palm Inc. has released a software driver update that will allow PalmConnect USB adapter users to use the serial to USB adapter on PCs running Windows 2000. This is a pre-release version of these drivers. This software is being provided to users, 'as is', and is unsupported by Palm. -Ed

Password Retrieval and Decoding
SecuriTeam.com has an article on ways to crack the fairly simple encryption on the password used by Palm's built-in Security application. As this article says, "It is possible to obtain an encoded form of the password, determine the actual password due to a weak, reversible encoding scheme, and access a user's private data". -Athan

Return to Story - Permalink

Article Comments

 (6 comments)

The following comments are owned by whoever posted them. PalmInfocenter is not responsible for them in any way.
Please Login or register here to add your comments.

Comments Closed Comments Closed
This article is no longer accepting new comments.

Down

But it's even easier to get confidential data...

I.M. Anonymous @ 10/1/2000 8:49:28 PM #
Just find the user's Palm Desktop data files...

I wasn't under the impression that it was meant to be terribly secure...

Matt

RE: But it's even easier to get confidential data...
GregGaub @ 10/2/2000 1:46:44 AM #
Yeah, encrypting the password is a waste of time. For real security, encrypt the data itself. There are lots of encryption programs out there already.

I truly hope...

EGarrido @ 10/2/2000 7:37:56 PM #
That people don't actually rely on the security features built into Palms. Just by looking at it, one can simply deduct it isn't exactly something you'd trust anything secret with. I'll have to mess around with the app that they made. That'll be amusing

Palm Data isn't secure in the first place.

I.M. Anonymous @ 10/3/2000 3:18:26 AM #
While SecuriTeam.com may be security experts, they certainly aren't Palm experts. While there may be a problem with the Palm passwords, it doesn't really matter, because the information on the Palm isn't secure in the first place.

Palm 'secret' files aren't actually secret at all. They're just hidden. Each program written for the Palm is supposed to take account of hidden records and not show them.

However, there's nothing forcing applications to obey this rule. Also, hidden records are just stored in the Palm like any other record, without any form of encryption.

So, any resonable Palm developer can write programs to access your hidden data either on the Palm or during a HotSync. Also, any database reader can be used by anyone to look at all the records on the Palm including hidden ones.


Because of this, you should never use the built-in Palm hidden / secret functionality to store private or sensitive data, as it's just not safe at all.

If you wish to store such information on the Palm, you'll want to get some special software that encrypts the information stored. That way not only does it need a password to access it, but anyone looking at the record will just see encypted gobble-de-gook.

There are various encytpion programs on the market, most are either Encypted Memo Pad programs or specific password / pin-code storing applications.

Cheers
Russell

Russell K Bulmer
Noble(star
http://noblestar.com

rbulmer@noblestar.com
+44 797 082 3259


Real connection

I.M. Anonymous @ 10/5/2000 2:11:56 AM #
Looking forward to Palm’s release of USB port cable for Palm IIIx.

I am writing from a school yard in Malaysia.

Insecure pass?

Dan @ 10/9/2000 12:08:57 PM #
I think that there is a huge difference between poor data protection (which I understood) & poor protection of the password itself. A lost pass would compromise more privacy than just the contents of my palm.
Top

Account

Register Register | Login Log in
user:
pass: